Coronavirus - Data processing in times of the COVID-19 crisis


People Capabilities In this section you can find Services Banking and Finance Banking and Finance overview Asset & Lease Finance Capital Markets Corporate Debt Fintech Islamic Finance Leveraged Finance Project, Energy and Infrastructure Finance Real Estate Finance Restructuring and Insolvency Securitization and Structured Finance Trade and Export Finance Competition, Trade and Foreign Investment Construction and Engineering Construction and Engineering overview Construction Disputes Contracts and Procurement EPC Project Advisory Corporate and M&A Corporate and M&A overview Capital Markets Corporate Governance International Corporate Reorganizations Joint Ventures Mergers and Acquisitions Private Equity Venture Capital Corporate Crime Corporate Crime overview Anti-Bribery and Corruption Anti-Money Laundering International Sanctions and Export Controls Regulatory Investigations and Enforcement Data Privacy, Security and Technology Data Privacy, Security and Technology overview Cybersecurity Data Privacy Disruptive Technology Electronic and Mobile Commerce Information Law Product Counseling Regulatory Defense and Litigation Technology Transactions and Sourcing Telecom Services Employment, Labor and Pensions Employment, Labor and Pensions overview Corporate Transactions Cross-Border Employment and Pensions Employee Benefits and Executive Compensation Employment Employment Litigation Global Mobility and Immigration Labor and Industrial Relations Pensions Risk Transfer and Management Financial Services Regulation Financial Services Regulation overview Asset Management Crypto Assets Derivatives Financial Services Disputes and Investigations Funds Insurance Intellectual Property Intellectual Property overview IP Audits and Assessments IP Litigation IP Transactional Patents Trademarks, Trade Dress and Copyrights Trade Secrets Konexo Konexo overview Legal Services Interim Resourcing Data and Cyber Consulting Legal Team Consulting Litigation and Dispute Resolution Litigation and Dispute Resolution overview Class Actions Commercial Litigation Construction Disputes Energy Disputes Environmental, Health and Safety Financial Services Disputes and Investigations Fraud Insurance and Reinsurance Disputes International Arbitration Procurement Disputes Professional Liability Real Estate Disputes Regulatory Investigations and Enforcement Tax Controversy and Litigation Real Estate and Planning Real Estate and Planning overview Commercial Development and Leasing Corporate Real Estate Planning and Environmental Real Estate Disputes Real Estate Finance Living Strategic Contracts Strategic Contracts overview Contract Modernization Outsourcing Strategic Partnerships Tax Industries Consumer Consumer overview Food and Beverage Luxury Retail and Wholesale Education Energy Energy overview Clean Energy Energy Regulatory Hydrogen Nuclear Oil and Gas Power Financial Services Financial Services overview Corporate and Investment Banking Private Capital Retail Banking and Consumer Finance Governments and Infrastructure Governments and Infrastructure overview Governments and Strategic Projects Infrastructure Transportation Industrials Industrials overview Aerospace, Defense and Security Automotive Chemicals Manufacturing and Industrial Engineering Life Sciences and Healthcare Real Estate Real Estate overview Alternative Assets Office and Industrial Real Estate Investment Retail and Mixed Use Transport Related Real Estate Technology & Digital Technology & Digital overview Digital Content Digital Infrastructure Technology Resources Insights Client tools Events and training Business topics About About us Firm leadership Purpose and values Responsible business Community Diversity and inclusion Environmental sustainability Pro bono Reports Alumni News Careers Global careers Applications Why us? Lawyers and partners Business professionals Students and recent graduates Offices United Arab Emirates Visit global site Select a local version of the site Angola Asia Austria Belgium Bulgaria Czech Republic Estonia Finland France Germany Hungary Iraq Ireland Italy Jordan Latvia Lithuania Luxembourg Mauritius Mozambique Netherlands Poland Portugal Qatar Romania Saudi Arabia Slovakia South Africa Spain Sweden Switzerland Tunisia United Arab Emirates United Kingdom United States Rest of the world en Select language English Coronavirus - Data processing in times of the COVID-19 crisis - Germany Home Resources Insights Home Resources Insights Coronavirus - Data processing in times of the COVID-19 crisis - Germany Coronavirus - Data processing in times of the COVID-19 crisis - Germany March 31, 2020 Germany Germany Germany What is going on? On 30 January 2020, the WHO announced an international health emergency due to the progressing spread of the coronavirus. In the meantime, the spread was explicitly classified a pandemic. A large number of countries have closed their borders and companies significantly cut back on their activities in order to avoid the spread and infections. Due to official instructions, companies are partly forced to fully shut down. Closed down factories due to quarantines have led to a high loss of production for a large number of companies. All of this has put a severe strain on interna-tional trade relations, mainly due to supply shortages, interrupted transport routes and short-term cancellations of events, employees working short of their capacity, loss in revenue and possibly existential risks for companies. On top of these issues, companies must deal with the risk of infection in their own organisations and find ways to handle the information flow to their workforce to delay the rapid spread of the virus as long as possible and to help reducing the pressure on the health care system. To what extent could I be affected? A large number of companies are currently considering to what extent they may process personal data of employees, guests and visitors in order to be able to implement particular measures in connection with the coronavirus. What do I need to know from a legal perspective? \| Are companies permitted to examine their employees, guests and visitors to determine whether they are infected with the coronavirus? Principally no. In case of doubt, the companies should contact the competent health authority instead of collecting health data at their own discretion or against the data sub-jects' will (e.g. through measuring the temperature). In exceptional cases other approaches are possible if the data subject agrees on a voluntary basis. \| Are companies permitted to ask their employees, guests and visitors whether they had recently been to risk areas or had contact with any person that was verifiably infected? Yes. \| Are companies permitted to inform their employees, guests and visitors that a certain person is verifiably infected and that they could be a contact person? Only as last resort. Due to a risk of stigmatisation, companies should undergo a three-stage process: 1st stage: companies should warn such persons on a department or team level who were in direct contact with the infected person (without naming the infected person) 2nd stage: companies should contact the competent health authorities and ask for their decisions 3rd stage: companies should warn other persons (including naming the infected person) \| Are companies permitted to collect their employees' private contact data in order to be able to contact them in case protection measures must be taken (such as closure of the business)? According to the Data Protection Officer of the Federal State of Baden-Wuerttemberg, this is only permissible with the employees' consent. We, in contrast, believe that in this exceptional situation companies may collect private contact details of employees who do not have a business mobile phone also without their permission. Companies may then contact the employees via their private contact details if both of the following preconditions are met at the same time: The protection measure must be taken so quickly (e.g. late at night) that it was not possible to contact the employees via their business contact details and; the protection measure is so crucial (e.g. closure of the business) that it would not be acceptable to only contact the employees the next day via their business contact details. What can I do now and what is there to observe? \| What must companies observe when their employees are working from home? One of the most important preventive measures against the spread of the coronavirus is social distancing. Therefore, a large number of companies have decided to have their employees work from home. Principally, data protection laws do not exclude work from home. When work is transferred into the employee's private environment, however, the companies' capability to influence and control decreases and simultaneously the risk of an unauthorised disclosure of and/or an unauthorised access to personal data by third parties increases (data breaches which might trigger a notification obligation with the competent supervisory authority). As a result, companies should take adequate measures to ensure data protection when working from home and when documents and data carriers are transported between the business premises and homes. \| Which measures can companies take in order to ensure data secu-rity when working from home? The Federal Commissioner for Data Protection and Freedom of Information in particular recommends the following measures: employees' access to sensi-tive personal data only with a PIN and a hardware-based trust anchor (two-factor authentication) connection exclusively via a so called virtual private network (VPN) encryption of the data (end-to-end security) incl. storage encryption on the mobile device locking USB and other connections no connection of printers no private use of the IT equipment provided for work, regular trainings/education of the employees with regard to a use of mobile equipment ensuring data security and the compliance with data protection laws \| Which measures can companies take to ensure data security during the transport of documents and data carriers between the business premises and homes? The Federal Commissioner for Data Protection and Freedom of Information in particular recommends the following measures: data carriers must always be transported encrypted and paper documents in closed containers; data carriers and documents may never be left unattended. \| Can companies take additional measures to monitor employees working from home? No. For monitoring measures applied to employees working from home, the same standards must principally be maintained as with employees regularly working on the business premises. Companies with works councils must first consult the works council in any case. \| Are companies obliged to enter in-to a separate agreement regarding work from home with the employees? Yes, we recommend the conclusion of an agreement. From a data protection perspective, this agreement should in particular regulate the respective responsibilities, the relevant data protection measures and the control and access rights of the company with regard to the employee's home. Companies with works councils must first consult the works council in any case. Helpful resources Frequently Asked Questions (FAQ) with regard to corona of the Data Protection Officer of the Federal State of Baden-Wuerttemberg Information on data protection law for the processing of personal data by the employer in connection with the corona pandemic of the independent data protection authorities of Germany and its federal states Write to us at covid19@eversheds-sutherland.de The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer. Key contacts Nils Müller Partner Munich, Germany \| Hamburg, Germany Dr. Constantin Herfurth Principal Associate Munich, Germany Latest Insights legal updates Global Life Sciences & Healthcare Bulletin legal updates Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts Tax NOLs in Cross-Border Structures Webinar legal updates EU Pay Transparency Directive Latest News client news A blueprint for growth: Eversheds Sutherland supports Leonard Design Group restructuring and MBO client news Next stop, public ownership: Eversheds Sutherland advises DfT on GTR transition firm news Eversheds Sutherland strengthens restructuring offering with senior partner appointment firm news Eversheds Sutherland strengthens Commercial Advisory practice with technology partner hire Latest Events virtual \| June 09, 2026 UK employment law training virtual \| June 16, 2026 Nordic (Denmark, Finland, Norway and Sweden) employment law training virtual \| June 23, 2026 Introduction to Swiss employment law virtual \| September 10, 2026 UAE - Employment law in the Dubai International Financial Centre Tabs Label legal updates June 03, 2026 Global Life Sciences & Healthcare Bulletin legal updates May 29, 2026 Consumer Lens - Session 1 \| The Rise of European Class Actions podcasts and webcasts May 29, 2026 Tax NOLs in Cross-Border Structures Webinar legal updates May 28, 2026 EU Pay Transparency Directive Legal notices Terms & conditions Privacy notice Cookies Whistleblowing List of ES(I) LLP Members LinkedIn Facebook YouTube Connect Contact us Client login Staff login Subscribe About us About Eversheds Sutherland Purpose and values Responsible business Alumni Insights Client tools Events and training Business topics Careers Offices © Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website.

What is going on?

On 30 January 2020, the WHO announced an international health emergency due to the progressing spread of the coronavirus. In the meantime, the spread was explicitly classified a pandemic. A large number of countries have closed their borders and companies significantly cut back on their activities in order to avoid the spread and infections. Due to official instructions, companies are partly forced to fully shut down. Closed down factories due to quarantines have led to a high loss of production for a large number of companies.

All of this has put a severe strain on interna-tional trade relations, mainly due to supply shortages, interrupted transport routes and short-term cancellations of events, employees working short of their capacity, loss in revenue and possibly existential risks for companies.

On top of these issues, companies must deal with the risk of infection in their own organisations and find ways to handle the information flow to their workforce to delay the rapid spread of the virus as long as possible and to help reducing the pressure on the health care system.

To what extent could I be affected?

A large number of companies are currently considering to what extent they may process personal data of employees, guests and visitors in order to be able to implement particular measures in connection with the coronavirus.

What do I need to know from a legal perspective?

| Are companies permitted to examine their employees, guests and visitors to determine whether they are infected with the coronavirus?

Principally no. In case of doubt, the companies should contact the competent health authority instead of collecting health data at their own discretion or against the data sub-jects' will (e.g. through measuring the temperature). In exceptional cases other approaches are possible if the data subject agrees on a voluntary basis.

| Are companies permitted to ask their employees, guests and visitors whether they had recently been to risk areas or had contact with any person that was verifiably infected?

Yes.

| Are companies permitted to inform their employees, guests and visitors that a certain person is verifiably infected and that they could be a contact person?

Only as last resort. Due to a risk of stigmatisation, companies should undergo a three-stage process:

1st stage: companies should warn such persons on a department or team level who were in direct contact with the infected person (without naming the infected person)
2nd stage: companies should contact the competent health authorities and ask for their decisions
3rd stage: companies should warn other persons (including naming the infected person)

| Are companies permitted to collect their employees' private contact data in order to be able to contact them in case protection measures must be taken (such as closure of the business)?

According to the Data Protection Officer of the Federal State of Baden-Wuerttemberg, this is only permissible with the employees' consent. We, in contrast, believe that in this exceptional situation companies may collect private contact details of employees who do not have a business mobile phone also without their permission. Companies may then contact the employees via their private contact details if both of the following preconditions are met at the same time:

The protection measure must be taken so quickly (e.g. late at night) that it was not possible to contact the employees via their business contact details and;
the protection measure is so crucial (e.g. closure of the business) that it would not be acceptable to only contact the employees the next day via their business contact details.

What can I do now and what is there to observe?

| What must companies observe when their employees are working from home?

One of the most important preventive measures against the spread of the coronavirus is social distancing. Therefore, a large number of companies have decided to have their employees work from home. Principally, data protection laws do not exclude work from home. When work is transferred into the employee's private environment, however, the companies' capability to influence and control decreases and simultaneously the risk of an unauthorised disclosure of and/or an unauthorised access to personal data by third parties increases (data breaches which might trigger a notification obligation with the competent supervisory authority). As a result, companies should take adequate measures to ensure data protection when working from home and when documents and data carriers are transported between the business premises and homes.

| Which measures can companies take in order to ensure data secu-rity when working from home?

The Federal Commissioner for Data Protection and Freedom of Information in particular recommends the following measures:

employees' access to sensi-tive personal data only with a PIN and a hardware-based trust anchor (two-factor authentication)
connection exclusively via a so called virtual private network (VPN)
encryption of the data (end-to-end security) incl. storage encryption on the mobile device
locking USB and other connections
no connection of printers
no private use of the IT equipment provided for work, regular trainings/education of the employees with regard to a use of mobile equipment ensuring data security and the compliance with data protection laws

| Which measures can companies take to ensure data security during the transport of documents and data carriers between the business premises and homes?

The Federal Commissioner for Data Protection and Freedom of Information in particular recommends the following measures:

data carriers must always be transported encrypted and paper documents in closed containers;
data carriers and documents may never be left unattended.

| Can companies take additional measures to monitor employees working from home?

No. For monitoring measures applied to employees working from home, the same standards must principally be maintained as with employees regularly working on the business premises. Companies with works councils must first consult the works council in any case.

| Are companies obliged to enter in-to a separate agreement regarding work from home with the employees?

Yes, we recommend the conclusion of an agreement. From a data protection perspective, this agreement should in particular regulate the respective responsibilities, the relevant data protection measures and the control and access rights of the company with regard to the employee's home. Companies with works councils must first consult the works council in any case.

Helpful resources

Frequently Asked Questions (FAQ) with regard to corona of the Data Protection Officer of the Federal State of Baden-Wuerttemberg
Information on data protection law for the processing of personal data by the employer in connection with the corona pandemic of the independent data protection authorities of Germany and its federal states

Write to us at covid19@eversheds-sutherland.de

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.